Diffstat (limited to 'testing/web-platform/tests/content-security-policy/unsafe-eval')
12 files changed, 411 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
new file mode 100644
index 0000000000..186996311b
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-allowed.sub.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <title>eval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="../support/logTest.sub.js?logs=[]"></script>
+ <script src='../support/alertAssert.sub.js?alerts=["PASS (1 of 2)","PASS (2 of 2)"]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ eval("alert_assert('PASS (1 of 2)')");
+
+ window.eval("alert_assert('PASS (2 of 2)')");
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
new file mode 100644
index 0000000000..998a616652
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-and-sends-report.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-blocked-and-sends-report</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS: eval() blocked.","violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ eval("alert_assert('FAIL')");
+ } catch (e) {
+ log('PASS: eval() blocked.');
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
new file mode 100644
index 0000000000..054e75b527
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked-in-about-blank-iframe.html
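Review bot: The `catch (e)` after `eval("alert_assert('FAIL')")` logs `PASS: eval() blocked.` for any exception, so if eval had actually run and the evaluated string threw for an unrelated reason (a `ReferenceError`, say) this branch would still record a pass and only the missing `violated-directive` log entry would expose it. Checking the exception type makes the check self-contained: `} catch (e) { if (e instanceof EvalError) log('PASS: eval() blocked.'); else throw e; }`. The same unconditional catch appears in eval-blocked.sub.html and function-constructor-blocked.sub.html, where the logged string `PASS EvalError` even promises a check the code does not make; eval-blocked-in-about-blank-iframe.html in this same commit already tests `e instanceof EvalError`.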
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <meta http-equiv="Content-Security-Policy"
+ content="script-src 'self' 'unsafe-inline';">
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+
+<body>
+
+<p>
+ Eval should be blocked in the iframe, but inline script should be allowed.
+</p>
+
+<script>
+ promise_test(async t => {
+ const document_loaded = new Promise(resolve => window.onload = resolve);
+ await document_loaded;
+
+ const eval_error = new Promise(resolve => {
+ window.addEventListener('message', function(e) {
+ assert_not_equals(e.data, 'FAIL', 'eval was executed in the frame');
+ if (e.data === 'PASS')
+ resolve();
+ });
+ });
+ const csp_violation_report = new Promise(resolve => {
+ window.addEventListener('message', function(e) {
+ if (e.data["violated-directive"]) {
+ assert_equals(e.data["violated-directive"], "script-src");
+ resolve();
+ }
+ });
+ });
+
+ frames[0].document.write(`
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ parent.postMessage({ 'violated-directive': e.violatedDirective });
+ });
+ try {
+ eval('parent.postMessage(\"FAIL\", \"*\");');
+ } catch (e) {
+ if (e instanceof EvalError)
+ parent.postMessage(\"PASS\", \"*\");
+ }
+ </sc` + `ript>`
+ );
+ frames[0].document.close();
+
+ await eval_error;
+ await csp_violation_report;
+ });
+</script>
+<iframe src="about:blank"></iframe>
+
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
new file mode 100644
index 0000000000..7546082ee4
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-blocked.sub.html
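Review bot: The `assert_not_equals` and `assert_equals` calls sit inside plain `window.addEventListener('message', ...)` callbacks rather than `t.step_func` ones, so a failing assertion throws from an event handler outside any test step and surfaces as a harness-level error instead of a failure attributed to this `promise_test`, and if no `PASS` message ever arrives the test merely times out. Wrapping the handlers, `window.addEventListener('message', t.step_func(function(e) { ... }));`, routes the assertion into the test; `t` is the `promise_test` argument already in scope. Both listeners receive every message, including the violation-report object, which the `e.data === 'PASS'` and `e.data["violated-directive"]` checks already tolerate, so a short comment above `const eval_error` saying that the two promises filter the same message stream would help the next reader.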
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","PASS EvalError", "violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ try {
+ window.eval("alert_assert('FAIL (1 of 2)')");
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
new file mode 100644
index 0000000000..bca5decd25
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-in-iframe.html
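Review bot: The second `try` block calls `window.eval("alert_assert('FAIL (1 of 2)')")`, reusing the first block's label, so if either alert ever fired the log could not say which of the two calls leaked through; `window.eval("alert_assert('FAIL (2 of 2)')")` would follow the `PASS (1 of 2)`/`PASS (2 of 2)` convention eval-allowed.sub.html uses. Nothing else in the hunk depends on that string, since the expected `alerts=[]` list only requires that no alert is raised.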
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <title>eval-in-iframe</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/common/utils.js"></script>
+</head>
+
+<body>
+ <p>This test checks that the CSP of calleeRealm only (and not of
+ the callerRealm) is checked for allowing eval.</p>
+ <script>
+ let tests = [
+ { "directive": "script-src", "csp": "script-src 'unsafe-inline'" },
+ { "directive": "default-src", "csp": "default-src 'unsafe-inline'" },
+ ];
+
+ tests.forEach(test => {
+ let child = document.createElement('iframe');
+ child.src = '/content-security-policy/unsafe-eval/support' +
+ '/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
+ document.body.appendChild(child);
+ let msg = new Promise(resolve => {
+ window.addEventListener('message', e => {
+ if (e.source == child.contentWindow)
+ resolve(e.data);
+ });
+ });
+
+ promise_test(async t => {
+ assert_equals((await msg).evalInIframe, "blocked");
+ }, `(${test.directive}) Eval code should not execute ` +
+ `from iframe in iframe`);
+ promise_test(async t => {
+ assert_equals((await msg).evalInParent, "allowed");
+ }, `(${test.directive}) Eval code should execute ` +
+ `from iframe in parent`);
+ promise_test(async t => {
+ assert_throws_js(child.contentWindow.EvalError, _ =>
+ child.contentWindow.eval('1+1'));
+ }, `(${test.directive}) Eval code should not execute ` +
+ `from parent in iframe`);
+ });
+ </script>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
new file mode 100644
index 0000000000..19eac79812
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-allowed.sub.html
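Review bot: `if (e.source == child.contentWindow)` in the message listener uses loose equality to compare two WindowProxy objects; `===` states the intent and matches the strict `===` the support file echo-eval-with-policy.py uses. `tests`, `child` and `msg` are never reassigned, so `const` would fit the `promise_test`/`async` style the rest of the file already follows. A one-line comment above `let msg` noting that it captures the first message posted by this iframe and is shared by the three `promise_test`s below would make clear why a single listener serves three tests.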
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>eval-scripts-setInterval-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<pre>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ var id_string = setInterval("clearInterval(id_string); log('PASS 1 of 2')", 0);
+ if (id_string == 0)
+ log('FAIL: Return value for string (should not be 0): ' + id_string);
+
+ var id_function = setInterval(function() {
+ clearInterval(id_function);
+ log('PASS 2 of 2');
+ }, 0);
+
+ if (id_function == 0)
+ log('FAIL');
+</script>
+</pre>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
new file mode 100644
index 0000000000..2107ab8c33
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setInterval-blocked.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-scripts-setInterval-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ var id = setInterval("alert_assert('FAIL')", 0);
+ if (id != 0)
+ log('FAIL: Return value for string (should be 0): ' + id);
+
+ var id = setInterval(function() {
+ clearInterval(id);
+ log('PASS');
+ }, 0);
+
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
new file mode 100644
index 0000000000..ba89c4e2f3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-allowed.sub.html
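Review bot: `var id` is declared twice in the same scope, so the second `setInterval(function() {...})` overwrites the handle of the string timer before anything could clear it, and the `clearInterval(id)` inside the callback only works because the callback runs after that reassignment; eval-scripts-setTimeout-allowed.sub.html and eval-scripts-setTimeout-blocked.sub.html repeat the pattern. Distinct names, `var id_string = setInterval(...)` and `var id_function = setInterval(...)`, as eval-scripts-setInterval-allowed.sub.html in this same commit already uses, remove the dependence on ordering. The `if (id != 0)` branch on the string timer also encodes that a CSP-blocked string handler returns 0; in the HTML timer initialisation steps as I read them the string-compilation CSP check runs inside the queued task, so a conforming engine would hand back an ordinary handle and log `FAIL` here, which is worth confirming against the behaviour this expectation targets.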
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>eval-scripts-setTimeout-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS 1 of 2","PASS 2 of 2"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ var id = setTimeout("log('PASS 1 of 2')", 0);
+ if (id == 0)
+ log('FAIL');
+ var id = setTimeout(function() {
+ log('PASS 2 of 2');
+ }, 0);
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
new file mode 100644
index 0000000000..2b6335e597
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/eval-scripts-setTimeout-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>eval-scripts-setTimeout-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS","violated-directive=script-src"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+<script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ var id = setTimeout("alert_assert('FAIL')", 0);
+ if (id != 0)
+ log('FAIL');
+
+ var id = setTimeout(function() {
+ log('PASS');
+ }, 0);
+
+ if (id == 0)
+ log('FAIL');
+</script>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
new file mode 100644
index 0000000000..8e6661b21c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-allowed.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';">
+ <title>function-constructor-allowed</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS"]'></script>
+ <script src='../support/alertAssert.sub.js?alerts=[]'></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("Fail");
+ });
+
+ (new Function("log('PASS')"))();
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
new file mode 100644
index 0000000000..1a7d320b68
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/function-constructor-blocked.sub.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+ <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
+ <title>function-constructor-blocked</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src='../support/logTest.sub.js?logs=["PASS EvalError","violated-directive=script-src"]'></script>
+ <script src="../support/alertAssert.sub.js?alerts=[]"></script>
+</head>
+
+<body>
+ <script>
+ window.addEventListener('securitypolicyviolation', function(e) {
+ log("violated-directive=" + e.violatedDirective);
+ });
+
+ try {
+ (new Function("log('FAIL')"))();
+ } catch (e) {
+ log("PASS EvalError");
+ }
+
+ </script>
+ <div id="log"></div>
+</body>
+
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
new file mode 100644
index 0000000000..b9b3cfe03a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py
@@ -0,0 +1,30 @@
+def main(request, response):
+ policy = request.GET.first(b"policy")
+ return [(b"Content-Type", b"text/html"), (b"Content-Security-Policy", policy)], b"""
+<!DOCTYPE html>
+<html>
+<script>
+function check_eval(context) {
+ context.eval_check_variable = 0;
+ try {
+ id = context.eval("eval_check_variable + 1");
+ } catch (e) {
+ if (e instanceof EvalError) {
+ if (context.eval_check_variable === 0)
+ return "blocked";
+ else
+ return "EvalError exception, but eval was executed";
+ } else {
+ return "Unexpected exception: " + e.message;
+ }
+ }
+ return "allowed";
+}
+
+window.parent.postMessage({
+ evalInIframe: check_eval(window),
+ evalInParent: check_eval(parent),
+});
+</script>
+</html>
+""" |
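Review bot: `id = context.eval("eval_check_variable + 1");` inside `check_eval` assigns to an undeclared identifier, which in this sloppy-mode inline script creates an implicit global `id` on the iframe window, and the value is never read; `context.eval("eval_check_variable + 1");` on its own is enough because only the side effect on `eval_check_variable` and the thrown `EvalError` matter. The `policy` query parameter is reflected verbatim into the `Content-Security-Policy` response header, which is the fixture's purpose but deserves a line above `main` saying so, e.g. `# Serves a page whose CSP header is whatever the caller passes in ?policy=; test fixture for eval-in-iframe.html.`. The closing `window.parent.postMessage({...})` passes no targetOrigin and so relies on the default of delivering only to a same-origin parent; the one caller in this commit is same-origin, which a short comment on that line could state.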